The General Data Protection Regulation (GDPR) enactment is a little less than a month and a half away. Gartner states that more than 50% of GDPR impacted organisations will not be prepared by the end of 2018. Businesses are rushing to figure out how to reach compliance by May 25. However, many organisations fail to realize that GDPR compliance is a business-as-usual activity after the enactment date. It’s not a checkbox compliance exercise.
GDPR requires that organisations continuously protect their customers’ data privacy using a combination of people, processes, and technology. A comprehensive security strategy and the right security technologies are ideal for maintaining GDPR compliance.
Below are three critical technical controls for maintaining GDPR compliance after May 25.
Protecting Personal Data
The GDPR is a robust set of data privacy regulations that covers consumer rights and organisational responsibilities. The GDPR’s broadest requirement states that organisations must provide “data protection by design and by default.”
Many organisations simply don’t know what data they have or what data could be targeted by attackers in a breach. Under the GDPR, it’s become imperative that you know the answers to these questions. Your security team or security provider must know what types of data you have, where it’s used, how it’s used, and who has access. A data mapping or data classification exercise is commonly one of the first steps to GDPR compliance.
A Security Information and Event Management (SIEM) solution can help complete this step by gathering your data from multiple sources (firewalls, network devices, anti-malware, etc.) into one centralized platform. The SIEM allows a security team or security provider to monitor end-user and system activity continuously and correlate the collected data against indicators of malicious activity.
Under the GDPR, it becomes increasingly important to control how and where personal data is stored and accessed. Your security team or security provider should monitor access to that data, create meaningful alerts in the event of an unauthorized attempt to access it, and encrypt any sensitive personal data.
If you have visibility into who has access to your data, you will be able to control who holds privileged access. In other words, you must be able to control user access throughout provisioning and de-provisioning. Unmanaged privileged accounts and vendor accounts can leave your organisation exposed to a whole host of problems.
Continuous Monitoring & Threat Detection
The GDPR puts forth several articles (Articles 25 and 32) which require an organisation to implement data protection principles and continuous monitoring. In the same way that a SIEM can ingest data, it also correlates the data from your devices to alert you of urgent security incidents. It also identifies trends in that data and aligns them to the stages of the cyber attack kill chain. Threat detection and intelligence using a SIEM provides reliable and timely information when a breach occurs and helps you prioritize the most significant threats to your data.
It’s imperative that organisations implement the right technical controls to ensure data security after May 25. Continuous monitoring and threat detection can aid greatly in this pursuit.
Breach Response & Notification
Finally, under Article 33 of the GDPR, your organisation must report a data breach within 72 hours without “undue delay.” You don’t have to report every breach to the Data Protection Authorities (DPAs), only those likely to result in a high risk to the rights and freedoms of EU data subjects. Organisations are also tasked with notifying the public of any serious breach after notifying the DPAs.
Even so, finding out where the breach occurred, what areas have been affected, and how it happened is no easy feat. Therefore, it becomes increasingly important for your organisation to have the processes in place to investigate and report a breach quickly and effectively. Data breaches are inevitable. Organisations must focus on improving their mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR). These two metrics are vitally important in benchmarking how well your organisation is protecting the data of EU data subjects.
A Managed Security Services Provider (MSSP) can help you leverage the power of a SIEM technology to speed up your monitoring, detection, and alerting workflows under the GDPR.